CVE-2020-25701
MEDIUMMoodle 3.5.0-3.5.14, 3.7.0-3.7.8, 3.8.0-3.8.5, 3.9.0-3.9.2 - Improper Access Control via Upload Course Tool
Title source: llmDescription
If the upload course tool in Moodle was used to delete an enrollment method which did not exist or was not already enabled, the tool would erroneously enable that enrollment method. This could lead to unintended users gaining access to the course. Versions affected: 3.9 to 3.9.2, 3.8 to 3.8.5, 3.7 to 3.7.8, 3.5 to 3.5.14 and earlier unsupported versions. This is fixed in moodle 3.9.3, 3.8.6, 3.7.9, 3.5.15, and 3.10.
References (4)
Core 4
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1895432
Vendor Advisory x_refsource_misc
https://moodle.org/mod/forum/discuss.php?d=413939
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/B55KXBVAT45MDASJ3EK6VIGQOYGJ4NH6/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NNFCHPPHRJNJROIX6SYMHOC6HMKP3GU/
Scores
CVSS v3
5.3
EPSS
0.0034
EPSS Percentile
57.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-284
CWE-863
Status
published
Products (4)
fedoraproject/fedora
32
fedoraproject/fedora
33
moodle/moodle
3.5.0 - 3.5.14
moodle/moodle
3.9.0 - 3.9.3Packagist
Published
Nov 19, 2020
Tracked Since
Feb 18, 2026